Update bip-0352.mediawiki
Co-authored-by: Vojtěch Strnad <43024885+vostrnad@users.noreply.github.com>
josibake and vostrnad authored Aug 4, 2023
1 parent 537ab3e commit 16855c9
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion bip-0352.mediawiki
Expand Up @@ -292,7 +292,7 @@ After the inputs have been selected, the sender can create one or more outputs f
*** Let ''P<sub>mn</sub> = B<sub>m</sub> + t<sub>n</sub>·G''
*** Encode ''P<sub>mn</sub>'' as a [https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki BIP341] taproot output
*** Optionally, repeat with n++ to create additional outputs for the current ''B<sub>m</sub>''
*** If no additional outputs are required, continue to the next ''B<sub>m</sub>'' with ''n++''<ref name="why_not_the_same_tn">''' Why not re-use ''t<sub>n</sub>''? when paying different labels to the same receiver?''' If paying the same entity but to two separate labeled addresses in the same transaction without incrementing ''n'', the two outputs would be ''B<sub>spend</sub> + t<sub>n</sub>·G + i·G'' and ''B<sub>spend</sub> + t<sub>n</sub>·G + j·G''. The attacker could subtract the two values and observe that the distance between i and j is small. This would allow them to deduce that this transaction is a silent payment transaction and that a single entity received two outputs, but won't tell them who the entity is.</ref>
*** If no additional outputs are required, continue to the next ''B<sub>m</sub>'' with ''n++''<ref name="why_not_the_same_tn">''' Why not re-use ''t<sub>n</sub>'' when paying different labels to the same receiver?''' If paying the same entity but to two separate labeled addresses in the same transaction without incrementing ''n'', the two outputs would be ''B<sub>spend</sub> + t<sub>n</sub>·G + i·G'' and ''B<sub>spend</sub> + t<sub>n</sub>·G + j·G''. The attacker could subtract the two values and observe that the distance between i and j is small. This would allow them to deduce that this transaction is a silent payment transaction and that a single entity received two outputs, but won't tell them who the entity is.</ref>
** Optionally, if the sending wallet implements receiving silent payments, it can create change outputs in the following manner:
*** Let ''A<sub>change</sub> = A<sub>spend</sub> + sha256(ser<sub>256</sub>(a<sub>scan</sub>))·G''
*** Let ''change_shared_secret = outpoints_hash·a·A<sub>scan</sub>''
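Review bot: The footnote edited in this hunk stops one step short of the actual attack; "subtract the two values and observe that the distance between i and j is small" should say what the attacker computes. Subtracting the two outputs ''B<sub>spend</sub> + t<sub>n</sub>·G + i·G'' and ''B<sub>spend</sub> + t<sub>n</sub>·G + j·G'' cancels both ''B<sub>spend</sub>'' and ''t<sub>n</sub>·G'' and leaves ''(i − j)·G''; because the labels are small integers, the attacker recovers ''i − j'' by checking ''k·G'' for small ''k'', which is exactly why the ''n++'' on the changed line is required before the next output to the same receiver. Suggest wording it as: "the attacker could subtract the two outputs to obtain ''(i − j)·G'' and, since labels are small integers, find ''i − j'' by trying small multiples of ''G''." The removal of the stray "?" after ''t<sub>n</sub>'' in the footnote title is fine as is.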
